Wednesday, January 13, 2016

Internet Explorer End-of-Life Security Tips


PORTLAND, Ore.--(BUSINESS WIRE)--Beginning on Tuesday, January 12, 2016, Microsoft will no longer support Internet Explorer (IE) 8, 9 and 10. Users of IE 11 will continue to receive technical support and security updates, leaving users of legacy versions of IE more vulnerable to malware. According to Computerworld, only 55 percent of IE users – more than 340 million people – are using the latest version of the browser.

“It is safe to assume that cybercriminals have been stockpiling IE vulnerability information ahead of the support cutoff, and they will easily learn new attack techniques for older versions by analyzing future IE 11 updates,” said Craig Young, security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT). “Using Tripwire’s VERT vulnerability database, rough estimates indicate that more than two-thirds of the vulnerabilities addressed in IE 11 also required patching in previous IE versions.”

Tripwire security experts offer the following advice for organizations that cannot switch to IE 11 by the cutoff date:

• Ensure all users are running as standard users on Windows browsers, rather than as administrator-level users on their local systems. This will mitigate the risk of many common browser-based malware attacks.

• Businesses with application requirements for older Web browsers should block browsing from vulnerable systems. This step will limit problems that tend to arise during the lunch hour when employees start exploring the Web.

• IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers.

“It’s a cruel reality, but in an age of continual cyberthreats, there are no excuses for not carrying out browser updates,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”